If I’m using Hyper-V, what other services should run in the host OS?


Rob Waggoner


Question:

If I’m using Hyper-V, what other services should run in the host OS? More to the point: Can I run my business applications in the Host OS?

Answer:

Our advice is to not run anything more than the management UI in the Host OS. No AD, DNS, file services, or other applications like SQL, Exchange, or third party applications should be run in the host OS.

Exceptions:

There can be exceptions for things like Anti-virus or tape backup software, if you still use tapes; but as a rule, please put your applications in separate VMs.

More Detail:

I receive this question a lot and want to spend a few minutes discussing why we provide this guidance. Bottom line, putting additional workloads on the Host OS will reduce your ability to move workloads and put you at a disadvantage as the resource utilization on the server increases.

Here is a deeper discussion into why we make this recommendation:

When you install Windows Server on your hardware, the server OS is installed on the bare metal like we’d expect. I’ve included a few pictures to help us out…

Here is a new installation of Windows Server before the Hyper-V role is installed. Notice that the Windows Server installation sits on the actual hardware.

Now look at what happens when we install the Hyper-V role (which is available in Windows Server 2008 and above):

Notice that there is now a Windows hypervisor between the Windows Server OS and the server hardware.

Hyper-V inserts itself between the hardware and the host OS. The operating system is now considered in the “Parent Partition”. 

As you see from the picture above, when we install the Hyper-V role, things change. Let’s talk about what changed and why we shouldn’t install any other applications in the “Parent Partition”. 

First, what changed: The Windows hypervisor has been installed between the hardware and the base server installation making the base server installation look and behave like a Virtual Machine on the Windows hypervisor. We now call this base server installation the “Parent Partition”. 

Please note: the “Parent Partition” is a very special virtual machine and “it” cannot be managed as a virtual machine. “It” cannot be turned off. When you ask the “Parent Partition” to shut down, you are actually shutting down all of the VMs on that server and turning off the physical server.

What about this change requires us to move away from installing applications in this new “Parent Partition”?

  1. The Parent Partition is a special virtual machine. It’s the only virtual machine that is able to interact with the actual hardware. 
  2. Architecturally speaking, we want your business applications running in their own isolated VM. This way you can manage the business workloads separately from the hardware and your physical infrastructure.
  3. The Parent Partition is not mobile like the other Virtual Machines because it is tied to the actual hardware. Again, you won’t manage the Parent Partition as a VM; just know that architecturally it is a VM and use it only as the management UI for the host.
  4. In the Planning for Hyper-V Security article, we encourage you not to install software in the Parent Partition because the software can have access to the actual hardware. If the software is running as an administrator, it has the ability to stop (and even delete) all of the virtual machines on that host.
  5. When you look at the third picture below, you see that the “Parent Partition” sits side by side with the other VMs. I view the parent partition as a VM that receives less attention than the other VMs. That’s because it is only used for management. 
  6. From a licensing perspective, which is applicable in Windows Server Standard, you are only allowed to run two new Windows Server workloads with a single license. Of course you can stack Windows Server licenses to add additional VMs to your host. Check out the Product Use Rights (PUR) for all of the details, but it basically says that you can run two VMs if and only if the host OS is only running services to support the Hypervisor. This means, no AD, DNS, DHCP in the Host OS (i.e. Parent Partition).
  7. We now allow Windows Server Essentials to be installed on the Hardware and as a VM. Check this article for all of the details, and this article that talks specifically about Hyper-V Replica and Windows Server Essentials.
  8. The Parent Partition even exists on Windows Server Core installations; it just has a much smaller footprint because it doesn’t have to support the whole UI.
  9. In Windows Server 2012 and 2012 R2, you now have a third level of UI as opposed to the two levels (Core and full UI) in Server 2008. Server 2012 adds a new level of UI, called the “Minimal Server Interface” which just enables the graphical management tools without installing the full graphical interface and tools (like Internet Explorer and Windows Explorer). You cannot install this “Minimal Server Interface” UI from the standard installation media. Once you install your server, you can add it to your Server Core installation or remove the additional UI from your full UI install. Think of this “Minimal Server Interface” as better than server core because you will have the graphical management tools available, but less than everything the full UI installation includes. There are more details about it here. There is a section about half way down in the article that compares the different UIs.
See that the “Parent Partition” sits side by side with the other VMs.
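The points above amount to a checklist for a Hyper-V host: only the hypervisor role and management tooling in the Parent Partition, no AD/DNS/DHCP (point 6), no file shares or application servers, and a known UI level (point 9). The script below is an added example, not code from the original post or from Microsoft; it audits a single host against that checklist. It assumes Windows Server 2012 or 2012 R2 with the ServerManager, Hyper-V and SmbShare PowerShell modules, and the deny list of role names and the service-name patterns are this example's own choices, so extend them to match your environment.

```powershell
# Added example (not from the original post): audit a Hyper-V host's
# Parent Partition for workloads that the guidance above says belong in VMs.
# Assumes Windows Server 2012 / 2012 R2 with the ServerManager, Hyper-V and
# SmbShare modules. The deny list and service patterns are this example's own.

Import-Module ServerManager
Import-Module Hyper-V

# Roles the post says must not run in the Parent Partition, plus other
# workload roles of the same kind. Names are Get-WindowsFeature names.
$deniedRoles = @(
    'AD-Domain-Services', 'DNS', 'DHCP', 'Web-Server', 'Print-Services',
    'Remote-Desktop-Services', 'AD-Certificate', 'ADFS-Federation',
    'WDS', 'NPAS', 'Fax', 'Application-Server'
)

# Service-name patterns for the applications the post names (SQL, Exchange).
$deniedServicePatterns = @('MSSQL*', 'SQLAgent*', 'MSExchange*')

$installed = Get-WindowsFeature | Where-Object { $_.Installed }

if (-not ($installed | Where-Object Name -eq 'Hyper-V')) {
    Write-Warning 'Hyper-V role is not installed; this host is not a Parent Partition.'
}

# 1. Roles that should live in their own VM.
$badRoles = $installed | Where-Object { $deniedRoles -contains $_.Name }

# 2. File services: the FS-FileServer role service is present on a default
#    install, so flag real non-administrative shares instead of the role itself.
$userShares = Get-SmbShare | Where-Object { -not $_.Special }

# 3. Application services such as SQL Server or Exchange.
$badServices = Get-Service -Name $deniedServicePatterns -ErrorAction SilentlyContinue

# 4. UI level (point 9): Server-Gui-Shell = full UI,
#    Server-Gui-Mgmt-Infra alone = Minimal Server Interface, neither = Core.
$hasShell = [bool]($installed | Where-Object Name -eq 'Server-Gui-Shell')
$hasMgmt  = [bool]($installed | Where-Object Name -eq 'Server-Gui-Mgmt-Infra')
$uiLevel  = if ($hasShell) { 'Full' } elseif ($hasMgmt) { 'Minimal Server Interface' } else { 'Core' }

# One report object per host; Compliant is true only when nothing was flagged.
[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    UiLevel     = $uiLevel
    VmCount     = @(Get-VM).Count
    DeniedRoles = ($badRoles.Name -join ', ')
    UserShares  = ($userShares.Name -join ', ')
    AppServices = ($badServices.Name -join ', ')
    Compliant   = (-not $badRoles) -and (-not $userShares) -and (-not $badServices)
}

# To take a full-UI host down to the Minimal Server Interface from point 9:
#   Uninstall-WindowsFeature Server-Gui-Shell -Restart
# To add the Minimal Server Interface to a Server Core host:
#   Install-WindowsFeature Server-Gui-Mgmt-Infra -Restart
```

Run it from an elevated PowerShell session on the host, or wrap it in `Invoke-Command -ComputerName` to sweep several hosts and collect the report objects. A host that reports `Compliant = True` still deserves a look at the `UserShares` and `AppServices` columns over time, since those are the two places where workloads tend to creep back into the Parent Partition.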

My ask:

As I mentioned in the beginning of this blog, I have this discussion fairly often. Now that you have a better understanding of the Hyper-V architecture, I have a couple of favors to ask:

  1. As a rule, please do not install additional applications in the Parent Partition.
  2. Please do not “think” or “worry” about the Parent Partition as a virtual machine. Just view it as the Management UI for your Hyper-V host. 

Below is some additional information around setting up a Server with Hyper-V. Your customers’ corporate security policies may require anti-virus on every server installation (including the Parent Partition). If you are inclined to install anti-virus on the Parent Partition, keep in mind that there are a few well documented ways to do this so it doesn’t impact your virtual machine performance. I’ve included the article below as well.
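If your policy does require anti-virus in the Parent Partition, the well documented approach is to exclude the Hyper-V storage locations, file types and worker processes from real-time scanning rather than the whole system. The following is an added example, not code from the original post or from Microsoft's exclusion list, showing how to apply that kind of exclusion set with the Windows Defender cmdlets. It assumes Windows Server 2016 or later (where `Add-MpPreference` is available; a 2012 R2 host would configure the same paths and processes in whichever anti-virus product it runs), and it reads the paths from the host's own configuration instead of hard-coding them. The extension list is this example's own selection and should be compared against the current exclusion list before use.

```powershell
# Added example (not from the original post or Microsoft's exclusion list):
# build Hyper-V anti-virus exclusions from the host's actual configuration and
# apply them with the Windows Defender cmdlets (Windows Server 2016 and later).

Import-Module Hyper-V

# Default locations for VM configuration and virtual hard disks on this host.
$vmHost = Get-VMHost
$paths  = @($vmHost.VirtualHardDiskPath, $vmHost.VirtualMachinePath)

# VMs are often stored outside the defaults, so add each VM's own folders.
foreach ($vm in Get-VM) {
    $paths += $vm.Path
    $paths += Get-VMHardDiskDrive -VM $vm | ForEach-Object { Split-Path $_.Path -Parent }
}
$paths = $paths | Where-Object { $_ } | Sort-Object -Unique

# Hyper-V management (vmms) and per-VM worker (vmwp) processes.
$processes = @('vmms.exe', 'vmwp.exe')

# Virtual disk, snapshot, saved-state and ISO file types (example selection;
# confirm against the current exclusion list for your Hyper-V version).
$extensions = @('.vhd', '.vhdx', '.avhd', '.avhdx', '.vsv', '.iso', '.rct', '.mrt')

# Exclusions are narrow on purpose: specific folders, file types and processes,
# never a whole volume, so the rest of the Parent Partition is still scanned.
Add-MpPreference -ExclusionPath $paths `
                 -ExclusionProcess $processes `
                 -ExclusionExtension $extensions

# Show what is now excluded so it can be recorded in the change log.
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension
```

Re-run the script after adding VMs on new storage, since exclusions are keyed to the folders that existed when it ran; the final `Get-MpPreference` call is what you would paste into the ticket or build document so the exclusion set stays auditable.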

Additional Resources:

Planning for Hyper-V Security

https://technet.microsoft.com/en-us/library/cc974516.aspx

This note explicitly says “Do not run any applications in the parent partition.” Anti-virus can be one of the few exceptions to this rule; if so, check out the Microsoft Anti-Virus Exclusion List (below) to make sure your anti-virus solution does not conflict with your virtual machines.

Virtual machines are missing, …

https://support.microsoft.com/kb/961804/en-us

Microsoft Anti-Virus Exclusion List

https://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx


Until next time,

Rob
